Person identification control method and system for implementing same

ABSTRACT

The invention relates to a person identification control method and to a system for implementing same. The inventive method comprises the following steps consisting in: detecting biometric data ( 23, 48, 79, 94, 108 ) relating to at least one person; seeking a concordance between the biometric data relating to the person and biometric data that have been pre-stored in a biometric database ( 26, 51, 83, 97, 110 ), said pre-stored biometric data relating to persons for whom identification means have already been generated; and, when no concordance is found, generating an identification means ( 29, 56, 84, 98, 103, 111 ) that is associated with the person from the biometric data relating to the person and at least one identity ( 24, 49, 80, 95, 117 ) for said person.

The present invention relates to the identification control of persons.It relates more especially to the generation of a unique means ofidentification of persons.

An especially beneficial application of the invention, although notexclusive, consists in controlling the granting of entitlements topersons having obtained a unique means of identification.

The term “entitlement” is to be understood in its widest acceptance, thegranting of an entitlement to a person being understood as the concreterealization of a possibility offered to this person. By way of example,a person may have a driving license, a building access badge, atransport pass be granted to them, or else be allocated a retirementfund, compensation or else a refund within the context of a socialsecurity system for example, etc.

The granting of such entitlements is confronted with a problem ofuniqueness, in so far as one generally does not wish to grant the sameentitlement to the same person several times.

Thus, certain current systems operate according to the followingprinciple: a person wishing to have an entitlement granted to themfirstly states their identity (for example their surname and forenames),then a check of this identity is performed with means that are generallylimited and rather unreliable. Next, a check is made to verify whetherthe person bearing this identity has not already received theentitlement claimed, for example by consulting a database wherein arestored the identities of all the persons having already acquired therelevant entitlement. If the check shows that the person has not alreadyacquired this entitlement, the latter is then granted to them and thisinformation is taken into account in the database.

However, if the relevant person has usurped one or more identities, theycan obtain the entitlement a number of times equal to the number ofidentities that they present to the system. The uniqueness of grantingentitlements is not. therefore ensured in such systems.

Furthermore, such systems grant entitlements in conjunction with theidentity of the persons, so that they do not make it possible to grantentitlements to persons by virtue of their capacity, for example theirmembership of an association of anonymous individuals.

To limit these drawbacks and in particular to make the identification ofpersons more reliable, it is known to use biometric data associated withpersons. The resulting principle is illustrated in FIGS. 1 and 2.

FIG. 1 shows a prior phase of so-called enrollment, in the course ofwhich a means of identification of a person is generated, this means ofidentification creating a tie between the biometric data of the personand their identity. Thus, the person 1 possesses a biometry 3, that isto say biometric data characterizing them, such as fingerprints,characteristics of the iris of their eyes, etc. The person 1 statestheir identity 4, which is then verified (step 5). Next, an associationis made between the biometry 3 and the identity 4 of the person 1 (step6). This association is finally stored on a means of identificationassociated with the person 1. The means of identification is typicallyheld by the person themselves, so that they alone possess a trace of theassociation between their biometry 3 and their identity 4. Such a meansof identification associated with a person is commonly called abiometric token. It may for example take the form of an identity card onwhich the fingerprints of the person have been affixed.

FIG. 2 shows a subsequent phase of granting an entitlement. A person 2claiming the granting of an entitlement must have been the subject of aprior enrollment according to the principles illustrated in FIG. 1. Thebiometry 8 of this person is then compared with that which was kept onthe biometric token 9 associated with this person during theirenrollment. If the biometries match (step 10), it is then possible toretrieve the identity of the person 2 in a relatively reliable manner(step 11) on the basis of the identity that they stated, forverification, during their enrollment, and which was stored on thebiometric token 9 in association with the biometry 8 of this person.Thereafter, in step 12, a check is made to verify whether theentitlement in question has already been obtained in relation to theidentity retrieved. To do this, a search is performed for the presenceof said identity in a database 13 storing the identities of the personshaving acquired the entitlement in question. If the person 2 had not yetacquired the entitlement, the latter is finally granted to them in step14 and this information is taken into account in the database 13.

This mode of operation therefore improves the reliability of theidentification of a person, since the identity stated by each person andverified during their enrollment is retrieved on the basis of thisperson's own biometric data and of the biometric token previously issuedto this person.

However, it does not guarantee the uniqueness of the granting ofentitlements. Specifically, a person possessing several biometrictokens, obtained during successive enrollments, may get an entitlementgranted several times, with a different biometric token each time. Thisis especially true when the person obtains several biometric tokens withdifferent identities for each token, this possibly occurring inparticular when step 5 of verification of the identity is of lowreliability.

A known and effective way of remedying this problem consists in storing,in a centralized database, an association between the biometry and theidentity of each person. FIG. 3 illustrates a phase of enrollment inaccordance with this mode of operation. The person 15 possesses abiometry 16 and states an identity 17 which is verified by a check instep 18. In step 19 a check is made to verify whether a biometric tokenhas already been allocated to the person 15 by searching for thepresence of the stated identity 17 in the database 20 of the identitiesstoring the biometry/identity pairs of the persons for which a biometrictoken has already been generated. If the person 15 did not yet have abiometric token, one is then generated for them in step 21, therebyguaranteeing that a single biometric token is generated for each person.The database 20 is finally updated to take account of the generation ofthe new token.

Subsequently, an entitlement can be granted as in the case illustratedin FIG. 2, if need be.

However, the mode of operation illustrated in FIG. 3 requires thatbiometric data and identities of persons be placed in correspondence ina database 20. Such a correspondence is rather undesirable since itcould be used for purposes other than the simple granting ofentitlements and thus run counter to individual freedom. It would evenbe contrary to legal provisions in respect of the protection ofindividual freedom in certain countries.

An object of the present invention is to limit the abovementioneddrawbacks, by permitting an identification of persons which does notimpede individual freedom.

Another object of the invention is to improve the reliability of theuniqueness of the means of identification associated with persons, witha view for example to affording control of the granting of entitlementsto these persons, without thereby creating a database linking for eachperson, their biometry and their identity.

Another object of the invention is to limit the possibilities of fraudduring the granting of entitlements.

Yet another object of the invention is to allow control of the grantingof entitlements to persons without consideration of their identity.

The invention thus proposes a method of identification control ofpersons, comprising a phase of generating a unique means ofidentification associated with at least one person comprising thefollowing steps:

-   /a/ detecting biometric data relating to said person;-   /b/ searching for a match between the biometric data relating to    said person and biometric data previously stored in a biometric    database, said previously stored biometric data relating to persons    for which means of identification have been previously generated;    and, when no match has been found:-   /c/ generating a means of identification associated with said person    from biometric data relating to said person and at least one    identity of said person.

Step /b/ of the method thus makes it possible to ensure that a means ofidentification, for example a biometric token, has not already beenassociated with the relevant person in the past. One thus limits thepossibilities of the same person obtaining several means ofidentification.

According to an advantageous embodiment of the invention, the methodfurthermore comprises a second phase of granting at least oneentitlement to said person, in which:

-   /e/ said person identifies themselves with the aid of the means of    identification which has been previously associated therewith; and-   /f/ said entitlement is granted to said person when said entitlement    has not already been granted to said person a number of times equal    to a predetermined number.

The granting of entitlements being subject to identification of theperson on the basis of the unique means of identification previouslygenerated for said person, the person is thus prevented from being ableto have entitlements granted several times by identifying themselves onthe basis of distinct means of identification.

The phases of the method are applied to at least one person, that is tosay a biometric token is associated with a given person or with a groupof given persons. Likewise, the entitlement or entitlements are grantedto a given person or to a group of given persons.

In a particular embodiment of the invention, a check of the identity ofthe person is performed before step /b/.

The granting of the entitlement is performed on the basis of anidentifier, which may be the identity of said person or else anidentifier of the biometric token which has been associated therewith(anonymous mode).

In a particular embodiment of the invention, the identifier of abiometric token is revoked before generating another one for the sameperson or the same group of persons. This may for example occur when theperson claims to have lost his first biometric token. One thusadvantageously prevents the multiple generations of tokens for one andthe same person or one and the same group of persons, possibly givingrise to multiple grantings of entitlements fox these persons.

In particular embodiments of the invention, a key is calculated for eachperson, then associated with the identity thereof. It may for example bea biometric key which is calculated on the basis of biometric elementsof the person, but is weakly discriminating so that the person cannoteasily be retrieved on the basis of their key. This key may also begenerated randomly, in which case it is moreover associated with thebiometry of the relevant person.

The invention furthermore proposes a system, comprising means forimplementing the abovementioned method.

When only the first phase of the method is implemented, the system maythen be likened to a device.

When, on the other hand, the method comprises the first phase ofgenerating a unique means of identification associated with at least oneperson, as well as a second phase of granting at least one entitlementto this person, the system may then comprise functional means able toimplement each of the two phases of the method within one and the samepiece of equipment, or else distinct physical entities each ensuring theimplementation of one of the two main phases of the method.

Other features and advantages of the present invention will becomeapparent in the description below of nonlimiting exemplary embodiments,with reference to the appended drawings, in which:

FIG. 1 is a diagram, already commented on, showing a known mode ofenrolling a person;

FIG. 2 is a diagram, already commented on, showing a known mode ofgranting entitlements to a person;

FIG. 3 is a diagram, already commented on, showing another known mode ofenrolling a person;

FIG. 4 is a diagram showing a mode of enrolling a person according tothe invention;

FIG. 4A is a diagram showing a first phase of a mode of enrolling aperson according to the invention;

FIG. 4B is a diagram showing a second phase of a mode of enrolling aperson according to the invention;

FIG. 5 is a diagram showing a mode of granting any entitlement to aperson as a function of their identity, according to the invention;

FIG. 6 is a diagram showing a mode of granting an entitlement to aperson independently of their identity, according to the invention;

FIG. 7 is a diagram showing a mode of enrolling a person, according to aparticular embodiment of the invention;

FIG. 8 is a diagram showing a mode of granting an entitlement to aperson as a function of their identity, according to a particular modeof the invention;

FIG. 9 is a diagram showing a mode of granting an entitlement to aperson independently of their identity, according to a particularembodiment of the invention;

FIGS. 10 and 11 are diagrams showing modes of enrolling a personaccording to other embodiments of the invention;

FIG. 12 is a simplified diagram of a system allowing the granting ofentitlements according to the invention.

FIG. 4 is a basic diagram illustrating a phase of enrollment accordingto the invention, that may possibly precede a granting of entitlements.This phase of enrollment consists in generating a unique means ofidentification of a person 22, in such a way as to avoid the problems ofgenerating multiple means of identification to one and the same personas was explained in the introduction.

According to this figure, the person 22 has biometric data of their own,this biometry 23 of the person 22 is detected and then compared with aset of biometries stored in a biometric database 26, corresponding tobiometric data of persons having already been the subject of anenrollment, that is to say already obtained a means of identification.If the biometry 23 of the person 22 matches one of the biometries storedin the database 26, this implies that the person 22 has already been thesubject of an enrollment, and therefore has already received a biometrictoken. In this case, it is for example possible to decide not tore-generate a biometric token for this person 22, or else to proceedwith additional checks. When in step 25, no match has been found betweenthe biometry 23 and the biometries stored in the base 26, this impliesthat the person 22 has not yet been the subject of an enrollment, andthis justifies the generation of a means of identification for thisperson 22. It will be noted that. the verification step 25 is especiallyreliable since it is based on biometric data which literallycharacterize the relevant person.

Moreover, the person 22 wishing to follow an enrollment procedure,states their identity 24. This identity is then the subject of averificatory check in step 27, this check possibly being of variouskinds. It is for example possible to verify the presence of the statedidentity 24 in a database 28 containing identity information on all thepersons apt to come forward for an enrollment.

The biometric token 29 ultimately generated for the person 22 is made upof the biometry 23 and of the identity 24 of this person. For example,this token comprises elements of the biometry 23, elements of theidentity 24, as well as a unique identifier of the token. This may forexample be an identity card on which fingerprints of the person 22 havebeen affixed.,

Thus, the enrollment illustrated in FIG. 4 makes it possible to generatea means of identification which is unique for a given person, in so faras a check is made in a step 25 to verify whether the relevant personhas already obtained a token. One thus prevents the granting of severalbiometric tokens to one and the same person, thereby limiting thesubsequent possibilities of use of these various tokens, for example toobtain the granting of several entitlements on the basis of the variousbiometric tokens obtained by this person.

After the generation of the biometric token 29 associated with theperson 22, the database 26 is advantageously updated to take intoaccount the biometry 23, in such a way that the person 22 can no longerobtain a biometric token during a subsequent new enrollment procedure,once the biometric token 29 has been obtained.

In an advantageous embodiment of the invention, the biometric database26 stores not only elements of biometry, but also identifiers of tokens.Thus, each biometry stored in the base 26 is associated with a biometrictoken identifier granted to the person possessing said biometry. A tiebetween the biometry verified and the token granted is thus retained,although without this tie allowing a direct correspondence betweenbiometry and identity outside of the token. Specifically, the identifierof a biometric token is not kept in the identities verificationdatabase, but it is for example incorporated with the biometric tokenitself.

In this embodiment, it is therefore appropriate, with reference to FIG.4, once the biometric token 29 has been generated for the person 22, toassociate the biometry 23 of the person 22 with an identifier of thebiometric token 29 (step 30), and then to store the identifier of thetoken 29 in association with the biometry 23 in the biometric database26.

It will be noted, that in the example described with reference to FIG.4, a biometric token 29 has been generated so as to be associated with aperson 22. However, it is also possible to generate a biometric tokenfor a set of persons. For example, a unique token can be generated for agroup of persons having a tie between them, such as a family. In thiscase, the biometric token generated will advantageously bear biometryand identity elements relating to each of the persons of the group.

FIGS. 4A and 4B illustrate a variant embodiment for the enrollmentphase, in which the unique means of identification associated with aperson or with a given group of persons is generated in two stages.

The person 107 of FIG. 4A possesses a biometry 108. As in the previouscase, in a step 109, a search is performed to establish whether a tokenhas already been allocated for this biometry 108, for example byverifying the presence of this biometry in a database of biometries 110.If no token has yet been allocated to the biometry 108, one is generatedon the basis of the biometry 108 of the person 107, and the database 110is advantageously updated. Thus, the biometric token 111 is obtained onthe basis of biometric data solely at this juncture. Optionally, theidentifier of the token 111 is associated with the biometry 108 (step110), and this association is advantageously updated in the database110.

In a second stage, a person 113, who may for example be the same personas the person 107 of FIG. 4A, can have an identity added to thebiometric token which was previously associated therewith. Thus, theperson 113 of FIG. 4B presents the biometric token 115 which waspreviously associated with them. A check is done in step 116, to ensurethat the biometric token 115 is rightly in the possession of the person113. For this purpose, the matching of the biometry 114 of the person113 and the biometry on the basis of which the biometric token 115 wasgenerated is verified, this information advantageously being registeredon the token 115. Moreover, the person 113 states their identity 117.The latter is the subject of a verificatory check in step 118, forexample by searching for this identity in a database of identities 119.After verificatory checks, the identity 117 is added to the biometrictoken 115 (step 120).

The enrollment according to this embodiment thus consists of twoindependent and asynchronous phases. The biometric token associated witha person is ultimately generated on the basis of biometric data and ofidentity data, but it was possible to disclose and register these dataat different moments.

Furthermore, it is possible to implement the second phase of such anenrollment repeatedly (illustrated in FIG. 4B) , so as to registerseveral identities of different kind on one and the same biometrictoken. For example, an identity may pertain to a civil status of therelevant person, while another identity is a professional identity.

A person possessing a biometric token, which was granted to them forexample on completion of an enrollment procedure as illustrated in FIG.4, can then claim the granting of one or more entitlements. Thisgranting may be performed by virtue of the identity of the person whoclaims an entitlement, or else independently of their identity.

FIG. 5 illustrates a case of granting an entitlement to a person on thebasis of their identity. The person 31 who claims an entitlement may befor example the same person as the person 22 who has previouslyundergone an enrollment procedure. Said person possesses a biometry 32as well as a biometric token 33 which was previously associatedtherewith. A check is then carried out to verify, in a step 34, whetherthe biometry 32 of the person 31 and the biometry stored on thebiometric token 33 presented by the person 31 do indeed match. If suchis not the case, this implies that the biometric token 33 presented bythe person 31 was not generated for this person and is therefore notassociated with them. No entitlement is then granted in a case of thiskind.

On the other hand, if the biometry 32 of the person 31 and the biometryon the basis of which the biometric token 33 was generated do match,this implies that the token 33 is rightfully in the possession of theperson 31. The identity of the person 31 is retrieved from the biometrictoken on which it is registered (step 35). A check is then carried outto verify that the entitlement claimed has not already been granted tothe person 31 on the basis of their identity (step 36). For thispurpose, a check is made to verify the presence, in a database 37 of theidentities, storing the identities of all the persons having alreadyobtained the relevant entitlement, of the identity retrieved in step 35.It will be noted that should the granting relate to a set of distinctentitlements, the database 37 of the identities stores the identities ofthe persons having already obtained the granting of an entitlement fromamong the set of entitlements, in conjunction with this entitlement, insuch a way as not to prevent a person having already obtained anentitlement of said set of entitlements from getting another one grantedsubsequently.

If the identity retrieved in step 35 does not appear in the base 37, inconjunction with the entitlement claimed by the person 31, this impliesthat this person has not yet been granted the entitlement that they areclaiming. The granting of this entitlement is then carried out in step38. In the converse case, no entitlement is granted to the person 31,since the latter has already obtained it previously. When theentitlement claimed by the person 31 is granted in step 38, the database37 is then updated to take account of this information, that is to saythat the identity 35 of the person 31 is stored in the database 37 inconjunction with the entitlement granted.

In the example described with reference to FIG. 5, one seeks to grant anentitlement to a given person just once. However, it is also conceivableto grant an entitlement a predetermined number of times for a givenperson or a group of given persons. In this case, it may be advantageousto store moreover, in the database 37, an indication relating to thenumber of actual grantings of an entitlement for each identity inconjunction with said entitlement. A check is then made to verify instep 36 whether the entitlement claimed by the person 31 has alreadybeen obtained for the identity retrieved in step 35, a number of timesequal to the predetermined number. One thus ensures that the entitlementwill not be granted to the person 31 a greater number of times than saidpredetermined number.

FIG. 6 illustrates an embodiment of the phase of granting one or moreentitlements for one or more persons, in which the granting is performedindependently of the identity of the person. A person 39 having abiometry 40 and possessing a biometric token 41, claims an entitlement.As in the previous case, the biometry 40 and that on the basis of whichthe biometric token 41 was obtained, for example in an enrollmentprocedure, and which is advantageously stored on the token 41, arecompared in step 42. If the biometries match, this implies that thebiometric token 41 is rightly associated with the person 39. Theidentifier of the biometric token 41, which is advantageously registeredon the biometric token itself, is then detected in a step 43.

Then in step 44, a check is made to verify whether the entitlementclaimed by the person 39 has already been obtained for such a tokenidentifier. For this purpose, a database 45 storing the identifiers oftokens of all the persons having obtained an entitlement isadvantageously consulted, the identifier of tokens being stored inconjunction with the entitlement granted for this identifier. When theentitlement has not yet been obtained for such an identifier, theentitlement claimed by the person 39 is then granted thereto during astep 46, then this granting information is taken into account by theaddition of the identifier of the token obtained in step 43 to thedatabase 45 in conjunction with the entitlement granted.

Thus, the entitlement claimed by the person 39 has been granted theretowithout the identity of this person ever being detected or stored. Thisembodiment is especially beneficial when the entitlement may be claimedby a set of persons by virtue of their capacity, for example the membersof an association of anonymous persons.

As in the case described with reference to FIG. 5, the entitlementgranted to the person 39 according to the embodiment of FIG. 6, could begranted a predetermined number of times, rather than in a unique manner.In this case, the number of grantings of an entitlement for one and thesame token identifier is advantageously the subject of an additionalentry in the database 45.

The granting of an entitlement according to the embodiments illustratedin FIGS. 5 and 6 is therefore controlled, in so far as each personrequesting the granting of an entitlement obtains a unique biometrictoken during a prior phase of enrollment, then the entitlement isgranted thereto conditionally by virtue of information available fromthis biometric token. The chances of granting an entitlement only apredetermined number of times to one and the same person are thusincreased.

Furthermore, the mechanism described above allows effective separationof the biometric data on the one hand and of the identity of the personson the other hand. Specifically, none of the databases used in theenrollment phase, as in the entitlements granting phase, contains bothbiometry information and information relating to identities of persons.Only the biometric token generated during the enrollment phase inrelation to a given person, contains a tie between the biometry and theidentity of this person, so that this tie is not generally availableother than from said person.

As far as the means for implementing the invention are concerned, afirst entity 105 can be charged with the implementation of theenrollment phase. In this case, this entity 105 is then a device whichcoincides with the overall system 104.

If the second phase of granting entitlements is moreover implemented, asecond entity 106 is charged with granting entitlements, as has beenrepresented diagrammatically in FIG. 12. The overall system 104 thenconsists of two distinct entities 105 and 106 and it allows the grantingof entitlements. Each of the entities, within the system 104, canoperate independently, that is to say that a person can request in afirst stage that they be assigned a biometric token. This operation isthen carried out with the aid of the entity 105. Next, said person canrequest the granting of an entitlement immediately following theirenrollment, or, on the contrary, well after their enrollment. Thegranting of the entitlement is then performed by the entity 106. Inother embodiments set forth below, interactions are possible between thetwo entities 105 and 106.

As a variant, the system 104, allowing the granting of the entitlements,can group together within a single piece of equipment first functionalmeans able to implement the enrollment phase described hereinabove (105then designates these first functional means), and second functionalmeans able to grant entitlements in accordance with the second phasedescribed hereinabove (106 then designates these second functionalmeans).

The embodiments of the invention that were described above, do not makeit possible, however, to totally eradicate the risk of a person possiblygetting associated with several biometric tokens, and possiblysubsequently having the same entitlement granted several times, doing soby declaring several different identities.

Specifically, if the person 22 of FIG. 4 has obtained a unique biometrictoken 29 on completion of an enrollment phase, then claims to have losttheir token 29, they can undergo a new enrollment phase in the course ofwhich they state a new identity, different from the identity 24previously declared. If the step of verifying the identity 27 is notsufficiently reliable, as is sometimes the case in reality, it ispossible for the person 22 to obtain a new biometric token generatedfrom his biometry 23 and from the new identity that they have declared,This same person can then obtain the granting of an entitlement thatthey had already obtained, for example according to the principlesdescribed with reference to FIG. 5 or to FIG. 6, since no entitlementhas yet been granted for the new identity declared by the person 22, norfor the identifier of the token newly obtained by this person.

FIG. 7 shows an embodiment of the enrollment phase aimed at prohibitingthe generation of several biometric tokens for one and the same personon the basis of different identities, and hence at reducing the risks ofmultiple granting of one and the same entitlement to this same person,on the basis of their various identities declared. Thus, according toFIG. 7, the person 47 can obtain a first unique biometric token 56 onthe basis of their biometry 48 and of the identity 49 that they stateduring their first enrollment, in a similar manner to what was describedwith reference to FIG. 4. It is henceforth considered that this sameperson 47 attempts to have a new biometric token allocated by stating anew identity 49. In this case, step 50 detects that a biometric tokenhas already been allocated to this person by retrieving the biometry 48of the person 47 from the database 51 storing the biometries of thepersons having already obtained a token, these biometries beingassociated in the base with an identifier of the respective token.

A check is then made to verify the new identity 49 stated by the person47 in step 52. Given the existing risks that the person 47 states adifferent identity 49 from that that they had stated during their firstenrollment, the verification of the identity of step 52 isadvantageously performed with enhanced reliability in this case, forexample by querying a database 53 of the identities containing multipleinformation on the identity of the persons. If the identity 49 stated bythe person 47 is erroneous, it is then possible to choose not togenerate a new biometric token for this person.

Furthermore, when step 50 has revealed that a token had already beenallocated to the person 47, the identifier of the biometric token whichhad been previously obtained by this person 47 is revoked (step 54).This revocation may be done by registering the old token identifierassociated with the person 47, that is to say the identifier of thebiometric token previously obtained by the person 47, in a list ofrevoked identifiers 55.

This list may be stored in a database. When the system allowing thegranting of the entitlements comprises two distinct entities (one forgenerating the tokens and another for actually granting theentitlements), the database containing the list of revoked identifiers55 must be consultable by the entity charged with the granting of theentitlements (entity 106 in FIG. 12).

As a variant, the list of revoked identifiers 55 set up by the entityimplementing the enrollment phase (entity 105 in FIG. 12) is transmittedto the entity charged with the granting of the entitlements (entity 106in FIG. 12). This transmission may be done according to diverse modes.For example, it may be done periodically, the complete list of revokedidentifiers being transmitted at each period, or else only the revokedidentifiers added to the list 55 since the last period are transmittedduring a new period. It is again possible to transmit each revokedidentifier to the entity charged with the granting of the entitlementsas soon as this identifier is added to the list 55, so as to haveinstantaneous transmission of the revoked identifiers.

The revocation of the identifier of the biometric token previouslygenerated for the person 47 thus makes it possible to prevent the person47 from being able to have two different biometric tokens in force.

A subsequent granting of the entitlements is then conditioned by thefact that the biometric token presented by a person is indeed in force.FIG. 8 illustrates such a mode of granting an entitlement. A person 59having a biometry 60 as well as a biometric token 61 claims the grantingof one or more entitlements. As in the above-described cases ofgranting, a check is made in step 62 to verify a match between thebiometry 60 and that stored on the biometric token 61 generated during aprior enrollment phase. When the biometries match, a check is carriedout, in a step 63, to verify whether the identifier of the biometrictoken 61 associated with the person 59 is in force or else if it hasbeen previously revoked. For this purpose, a check is carried out toverify the presence or the absence of the identifier of the biometrictoken 61 in a list of revoked identifiers 64.

The list of revoked identifiers 64 is obtained on the basis of the listof revoked identifiers 55. For example, when the list of revokedidentifiers 55 has been stored in a database accessible from the entity(physical or functional) charged with the granting of the entitlements,the list 64 is then the same as the list 55, and it suffices to consultsaid database to conclude the revocation or non-revocation of therelevant biometric token. As an alternative, the list 64 is differentfrom the list 55, but it is updated on the basis of the latter duringthe transmission of revoked identifiers to a memory space of the entitycharged with the granting of the entitlements, said transmissionpossibly being instantaneous or periodic, partial or complete, asindicated hereinabove.

If, in step 63, it is concluded that the identifier of the biometrictoken 61 used by the person 59 has been revoked, it is then possible tochoose not to grant the entitlement claimed to the person 59. On thecontrary, if the identifier of the biometric token 61 associated withthe person 59 is indeed in force, one then proceeds as in the casedescribed previously with reference to FIG. 5, to grant the entitlementto the person 59 during a step 68, after having verified that theidentity 65 of the person 59 registered on the biometric token 61 hasnot already been the subject of the granting of the same entitlement,once or, more generally, a predetermined number of times.

In the embodiment illustrated in FIG. 9, an entitlement claimed isgranted to a person 69 on the basis of the identifier of the biometrictoken 71 associated therewith, as in the case described previously withreference to FIG. 6. As in the case illustrated in FIG. 8, a check ismade in step 73 to verify that the identifier of the biometric token 71has not previously been revoked, by querying a list of revokedidentifiers 74 compiled on the basis of the previously described list ofrevoked identifiers 55,

The embodiments of the invention that were described above do notexclude the possibility that a person might usurp the identity ofanother person and thus obtain a biometric token relating to thisusurped identity, to the detriment of this other person. If the person47 of FIG. 7 has obtained a first biometric token 56, then claims tohave lost it, said person may then be the subject of a new enrollmentphase in the course of which they state the identity of another person47′. If the verification of the identity of step 52 is not sufficientlyreliable, it is then possible for the person 47 to obtain a newbiometric token generated on the basis of their own biometry 48 and ofthe identity of the person 47′.

To avoid this situation, it is possible to proceed according to one ofthe embodiments illustrated in FIGS. 10 and 11. FIG. 10 shows a person78 having a biometry 79 and an identity 80 that they state forverification in step 87. If it is noted, while searching for thebiometry 79 in a database 83 containing the biometries of all thepersons having already obtained a token, the biometries beingrespectively associated with identifiers of corresponding tokens, thatthe person 78 has never requested the generation of a biometric token,then a biometric token 84 is generated on the basis of the biometry 79of the person 78 and of the identity 80 that they have declared andwhich has been verified in step 87. The biometry 79 of the person 78 isthen associated with the identifier of the biometric token 84 (step 85)so as to be the subject of a new entry in the database 83.

Furthermore, a biometric key relating to the person 78 is calculated(step 86). This biometric key is a code generated in a robust andreproducible manner, apt for characterizing the person 78 sufficientlyfor the latter to have a different key value from any other person witha chosen predetermined level of probability, but not sufficientlycharacterizing to make it possible to retrieve the biometric datarelating to the person 78.

By way of example, the biometric key can take a few tens or a fewhundreds of different values, when the number of persons apt to claimthe granting of entitlements is a population of a few million or a fewtens of millions of persons. It may for example take as a value a letterof the alphabet between A and Z (26 different values) or else a numberwith two digits between 00 and 99 (100 different values).Advantageously, the number of values of the biometric key is adapted tothe calculational power necessary to calculate all the combinations bybrute force.

The biometric key is calculated on the basis of biometric elements ofthe relevant person. For example, if the biometric data 79 used toidentify the person 78 are fingerprints, the biometric key calculated instep 86 for this person 78 can be obtained on the basis of a coding ofthe general shape of each print of the fingers of this person 78, givenof course that this coding makes it possible to obtain an almost uniformdistribution of the codes for the various possible shapes of thefingerprints. As a variant, the biometric data 79 of interest of theperson 78, relate to the iris of the eye of the person 78. In this case,the biometric key could be calculated advantageously according to astatistical operation based on the coding of the iris.

Once the biometric key has been calculated for the person 78, theidentity of the person 78 is retrieved from the token 84 generated forthis person (step 92). Next, the biometric key obtained in step 86 isstored in a database 89, while linking it to the identity of the person78. This amounts to saying that the database 89 stores the whole set ofidentities of the persons apt to request the granting of theentitlements, each identity being associated with a biometric key of thecorresponding person. In this kind of case, information regardingidentities is then stored in conjunction with biometry information,However, given the above-described weakly discriminating mode ofcalculation of the biometric key, it is not to be feared that therelation stored in the base 89 may make it possible to retrieve theidentity of a person on the basis of their biometry, or vice versa.

If subsequently, the person 78 usurps the identity of another person andwishes to have a biometric token generated on the basis of this usurpedidentity, one proceeds as follows: after having detected that. theperson 78 had already had a biometric token allocated (step 82), thebiometric key 81 associated with the person 78 is calculated. Next, onthe basis of the identity 80 declared by the person 78, a check isperformed to verify this identity, if possible in a more reliable mannerthan in the current case (step 87). Then, in step 88, the biometric key81 is compared with the biometric key associated with the identity 80stated by the person 78 in the database 89.

If the biometric keys compared are identical, it is then possible toconclude therefrom with a reasonable degree of certainty that theidentity 80 is indeed that of the person 78. On the other hand, if thebiometric keys compared differ from one another, the identity 80 statedby the person 78 is certainly usurped. In the latter case, it is thenpossible to choose not to generate new biometric tokens to the person 78on the basis of this usurped identity.

As in the embodiment described above with reference to FIG. 7, it ispossible to revoke the identifier of the old biometric token associatedwith the person 78 (step 90), when it has been concluded that theidentity 80 stated by the person 78 was right on completion of steps 87and 88. For this purpose, the old token identifier is added to a list ofrevoked identifiers 91, said list possibly being transmitted to anentity (physical or functional) charged with the actual granting of theentitlements.

In a variant embodiment, illustrated in FIG. 11, a person 93 has abiometric token 98 generated, whilst no biometric token had beenassociated with this same person previously. Next, a random key iscalculated for this person 93 (step 99), which is stored on the onehand, in a biometric database 97, in conjunction with the biometry 94 ofthe person 93, and on the other hand, in a database of the identities101, in conjunction with the identity of the person 93 obtained from thebiometric token 98 generated for this person.

If the person 93 undergoes a new enrollment phase, step 96 detects thata biometric token has already been associated with this person in thepast, by consulting the database 97, on the basis of the biometry 94.Next, a particularly careful check is performed to verify the identity95 stated by the person 93 (step 100). Also, a comparison is performedbetween the random keys stored in the database 97 for the biometry 94,and in the database 101 for the identity stated 95 (step 102).

If the random keys stored in the databases 97 and 101 respectively, arenot mutually consistent, it is possible to conclude therefrom with areasonable degree of certainty that the identity 95 stated by the person93 during this second enrollment has been usurped and thereforecorresponds to the identity of another person having already themselvesundergone an enrollment phase.

Conversely, if step 102 indicates that the random keys stored in thedatabases 97 and 101 are identical, it is then probable that theidentity 95 stated by the person 93 during this second enrollment isindeed the identity of this person, and not a usurped identity. In thiscase, it is possible to choose to generate a new biometric token 103 forthe attention of the person 93, replacing the token which had previouslybeen allocated to them.

Although not represented in this figure, it is of course possible as inthe cases described above, to revoke the identifier of the old biometrictoken which had been associated with the person 93, in such a way thatthis person only has one token in force at a time.

In the embodiment of the invention illustrated in FIG. 11, thecalculation of the key in step 99 is totally random, thereby limitingthe risks of fraud consisting in searching, on the basis of biometricdata of a person, for a corresponding key.

It is also noted in this latter embodiment that an identical field (therandom key) is stored both in a biometric database 97 and in a databaseof identities 101. However, the random key being calculated in such away as to be weakly discriminating (it may for example take between afew tens and a few hundred different values, as in the case describedabove), it is impossible for a person having access to the databases 97and 101 to retrieve with certainty a correspondence between the biometryand the identity of a person solely on the basis of the random key.

1. A method of identification control of persons, comprising a phase ofgenerating a unique means of identification associated with at least oneperson comprising the following steps: /a/ detecting biometric datarelating to said person; /b/ searching for a match between the biometricdata relating to said person and biometric data previously stored in abiometric database, the biometric database not containing identities ofpersons in association with the biometric data stored, said previouslystored biometric data relating to persons for which means ofidentification have been previously generated; and, when no match hasbeen found: /c/ generating a means of identification associated withsaid person from biometric data relating to said person and at least oneidentity of said person.
 2. The method as claimed in claim 1, comprisingfurthermore the step: /d/ adding the biometric data relating to saidperson to the biometric database.
 3. The method as claimed in claim 2,in which, during step /d/, the biometric data are added to the biometricdatabase in association with a unique identifier of said means ofidentification associated with said person.
 4. The method as claimed inclaim 1, furthermore comprising a step of verification of the identityof said person.
 5. The method as claimed in claim 4, in which theverification of the identity is reinforced for a person for which amatch has been found in step /b/.
 6. The method as claimed in claim 1,in which the generation, in step /c/, of a means of identificationassociated with said person is performed firstly from biometric datarelating to said person, then supplemented with the addition of at leastone identity of said person.
 7. The method as claimed in claim 1, inwhich the phase of generating a unique means of identificationassociated with said person furthermore comprises the following steps:calculating a key associated with said person, the key being able totake a much smaller number of values than the number of persons apt torequire the generation of a unique means of identification, and highenough for any two persons to be associated with different keys, with apredetermined level of probability; and storing said key in a databaseof the identities in association with an identity of said person.
 8. Themethod as claimed in claim 7, in which the number of values of the keyis chosen in such a way as to take account of the calculational powernecessary to calculate all the combinations by brute force.
 9. Themethod as claimed in claim 7, in which the number of values of the keylies substantially between a few tens and a few hundreds when the numberof persons apt to require the generation of a unique means ofidentification is a few million or tens of millions.
 10. The method asclaimed in claim 7, in which the calculation of the key is performedfrom biometric data relating to said person.
 11. The method as claimedin claim 10, in which the calculation of the key is performed from thegeneral form of the prints of certain fingers at least of said person.12. The method as claimed in claim 10, in which the calculation of thekey is performed from information relating to the iris of the eye ofsaid person.
 13. The method as claimed in claim 10, comprising thefollowing steps, when a match has been found in step /b/: obtaining anidentity of said person; calculating the key associated with saidperson; comparing the calculated key with the key stored in the databaseof identities in association with the identity obtained for said person;and selectively implementing step /c/ as a function of the result of thecomparison between said calculated and stored keys.
 14. The method asclaimed in claim 7, in which the calculation of the key is random. 15.The method as claimed in claim 14, in which moreover the key is storedin the biometric database in association with the biometric datarelating to said person.
 16. The method as claimed in claim 15,comprising the following steps, when a match has been found in step /b/:obtaining an identity of said person; obtaining the key stored in thebiometric database in association with the biometric data relating tosaid person; comparing the key obtained with the key stored in thedatabase of identifies in association with the identity obtained forsaid person; and selectively implementing step /c/ as a function of theresult of the comparison between said keys.
 17. The method as claimed inclaim 1, furthermore comprising a second phase of granting at least oneentitlement to said person, in which: /e/ said person identifiesthemselves with the aid of the means of identification which has beenpreviously associated therewith; and /f/ said entitlement is granted tosaid person when said entitlement has not already been granted to saidperson a number of times equal to a predetermined number
 18. The methodas claimed in claim 17, in which step /e/ comprises a comparison betweenbiometric data relating to said person and the biometric data from whichthe means of identification associated with said person has beengenerated.
 19. The method as claimed in claim 17, in which step /f/comprises the consultation, in a database of entitlements, of theentitlements already granted to persons, on the basis of an identifier.20. The method as claimed in claim 19, in which said identifier is anidentity of said person, obtained from the means of identificationassociated with said person.
 21. The method as claimed in claim 19, inwhich said identifier is a unique identifier of the means ofidentification associated with said person, this identifier beingincorporated into said means of identification associated with saidperson.
 22. The method as claimed in claim 17, in which when a match hasbeen found in step /b/, the unique identifier of the means ofidentification associated with said person which was stored in thebiometric database in association with the biometric data relating tosaid person is added to a first list of the identifiers of the revokedmeans of identification, and, in which step /f/ is selectivelyimplemented depending on whether the identifier of the means ofidentification with which said person is identified is or is not storedin a second list of the identifiers of the revoked means ofidentification.
 23. The method as claimed in claim 22, in which thephases of generating a unique means of identification associated withsaid per son and of granting at least one entitlement to said person areimplemented by a first and a second entity respectively, and in whichthe first list of the identifiers of the revoked means of identificationis stored on a database of the identifiers of the revoked means ofidentification that can be consulted by the second entity, the secondlist of the identifiers of the revoked means of identification thenbeing identical to the first list of the identifiers of the revokedmeans of identification.
 24. The method as claimed in claim 22, in whichthe phases of generating a unique means of identification associatedwith said person and of granting at least one entitlement to said personare implemented by a first and a second entity respectively, and inwhich the identifiers added to the first list of the identifiers of therevoked means of identification are transmitted from the first entity tothe second entity to update the second list of the identifiers of therevoked means of identification
 25. The method as claimed in claim 24,in which the transmission of the identifiers from the first entity tothe second entity is performed according to at least one of thefollowing mechanisms: by periodic transfer of said identifiers added tothe first list of the identifiers of the revoked means of identificationsince the last transfer, or by periodic transfer of the whole set ofidentifiers stored in the first list of the identifiers of the revokedmeans of identification, or by instantaneous transfer of each identifierupon its addition to the first list of the identifiers of the revokedmeans of identification.
 26. A system of identification control ofpersons, for generating a unique means of identification associated withat least one person, the system comprising: /a/ means for detectingbiometric data relating to said person; /b/ means for searching for amatch between the biometric data relating to said person and biometricdata previously stored in a biometric database, the biometric databasenot containing identities of persons in association with the biometricdata stored, said previously stored biometric data relating to personsfor which means of identification have been previously generated; and,/d/ means for, when no match has been found, generating a means ofidentification associated with said person from biometric data relatingto said person and at least one identity of said person.
 27. (canceled)28. The system as claimed in claim 26, furthermore comprising: /d/ meansfor adding the biometric data relating to said person to the biometricdatabase.
 29. The system as claimed in claim 28, in which the means /d/are such that the biometric data are added to the biometric database inassociation with a unique identifier of said means of identificationassociated with said person.
 30. The system as claimed in claim 26,furthermore comprising means of verification of the identity of saidperson
 31. The system as claimed in claim 30, in which the means ofverification of the identity are such that the verification of theidentity is reinforced for a person for which a match has been found bythe means /b/.
 32. The system as claimed in claim 30, in which the meansfor generating a means of identification associated with said person alearranged such that the generation of a means of identification isperformed firstly from biometric data relating to said person, thensupplemented with the addition of at least one identity of said person.33. The system as claimed in claim 30, furthermore comprising: means forcalculating a key associated with said person, the key being able totake a much smaller number of values than the number of persons apt torequire the generation of a unique means of identification, and highenough for any two per sons to be associated with different keys, with apredetermined level of probability; and means for storing said key in adatabase of the identities in association with an identity of saidperson.
 34. The system as claimed in claim 33, in which the number ofvalues of the key is chosen in such a way as to take account of thecalculational power necessary to calculate all the combinations by bruteforce.
 35. The system as claimed in claim 33, in which the number ofvalues of the key lies substantially between a few tens and a fewhundreds when the number of persons apt to requite the generation of aunique means of identification is a few million or tens of millions. 36.The system as claimed in claim 33, in which the means for calculatingare such that the calculation of the key is performed from biometricdata relating to said person
 37. The system as claimed in claim 36, inwhich the means for calculating are such that the calculation of the keyis pet formed from the general form of the prints of certain fingers atleast of said person.
 38. The system as claimed in claim 36, in whichthe means for calculating ate such that the calculation of the key isperformed from information relating to the iris of the eye of saidperson.
 39. The system as claimed in claim 36, comprising: means forobtaining an identity of said person; means for calculating the keyassociated with said person; means for comparing the calculated key withthe key stored in the database of identities in association with theidentity obtained for said person; and means for selectivelyimplementing the means /c/ as a function of the result of the comparisonbetween said calculated and stored keys, when a match has been found bythe means /b/.
 40. The system as claimed in claim 33, in which the meansfor calculating ate such that the calculation of the key is random. 41The system as claimed in claim 40, further comprising means for storingthe key in the biometric database in association with the biometric datarelating to said person.
 42. The system as claimed in claim 41,comprising: means for obtaining an identity of said person; means forobtaining the key stored in the biometric database in association withthe biometric data relating to said person; means for comparing the keyobtained with the key stored in the database of identifies inassociation with the identity obtained for said person; and means forselectively implementing the means /c/ as a function of the result ofthe comparison between said keys, when a match has been found by themeans /b/.
 43. The system as claimed in claim 26, furthermorecomprising, for granting at least one entitlement to said person: /e/means for said person to identify themselves with the aid of the meansof identification which has been previously associated therewith; and/f/ means for granting said entitlement to said person when saidentitlement has not already been granted to said person a number oftimes equal to a predetermined number
 44. The system as claimed in claim43, in which the means /e/ comprise means for comparing betweenbiometric data relating to said person and the biometric data from whichthe means of identification associated with said per son has beengenerated.
 45. The system as claimed in claim 43, in which the means /f/comprise means for consulting, in a database of entitlements, theentitlements already granted to persons, on the basis of an identifier.46. The system as claimed in claim 45, in which said identifier is anidentity of said person, obtained from the means of identificationassociated with said person.
 47. The system as claimed in claim 45, inwhich said identifier is a unique identifier of the means ofidentification associated with said person, this identifier beingincorporated into said means of identification associated with saidperson
 48. The system as claimed in claim 43, comprising means foradding the unique identifier of the means of identification associatedwith said person which was stored in the biometric database inassociation with the biometric data relating to said person to a firstlist of the identifiers of the revoked means of identification, andmeans for selectively implementing the means /f/ depending on whetherthe identifier of the means of identification with which said person isidentified is or is not stored in a second list of the identifiers ofthe revoked means of identification, when a match has been found by themeans /b/.
 49. The system as claimed in claim 26, comprising a firstentity designed to implement means for participating in generating aunique means of identification associated with at least one person, anda second entity designed to implement means for participating ingranting at least one entitlement to at least one person.